INFRA-16753

Project websites are still accessible via http

Details

• Type: Task
• Status: Waiting for Infra
• Priority: Critical
• Resolution: Unresolved
• Fix Version/s: None
• Component/s: Website
• Labels: None
• Project: Foundation

Description

In a long and protracted discussion with the moderator of announce@apache.org, we were reminded that:

https://www.apache.org/dev/release-distribution#download-links

"All links to checksums, detached signatures and public keys MUST reference www.apache.org/dist/ using https:// (TLS)."

However, there is no point in these links being https unless the websites are forcibly redirected from http -> https.

The current Infra setup allows URLs such as:

http://httpd.apache.org/

which are not forcibly redirected to the https (TLS) version. This makes the https:// links in the project download page untrustable, as they could be altered in transit.

It's 2018, and every browser (even the lowly w3m) has TLS compatibility. Please forcibly redirect all project and foundation websites to https:// versions from http:// versions. You might want to go so far as to submit apache.org for HSTS preload, as there is no reason we wouldn't want to do so:

https://hstspreload.org/

The moderator of announce@apache.org with whom I interacted (who has chosen so far to remain nameless) agreed that this is a good idea, and that I should take it up with Infra.
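An added example (not part of this ticket or of Infra's tooling) that checks offline the two properties the ticket asks for: a plain-http response must redirect to the same URL over https, and the https site's Strict-Transport-Security header must meet the preload submission bar. The preload thresholds (one-year max-age, includeSubDomains, preload) are assumed from hstspreload.org's published requirements, and the sample responses are constructed, not captured from apache.org.

```python
"""Check (1) http -> https redirect and (2) HSTS preload eligibility
from already-captured responses, so it runs without network access."""
from urllib.parse import urlsplit

# Assumed from hstspreload.org's submission requirements: max-age of at
# least one year, plus the includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') or None
    return out


def hsts_preload_issues(value):
    """Return the reasons the header is not preload-eligible ([] if it is)."""
    d = parse_hsts(value)
    issues = []
    age = d.get("max-age")
    if age is None or not age.isdigit():
        issues.append("max-age missing")
    elif int(age) < PRELOAD_MIN_MAX_AGE:
        issues.append("max-age below %d" % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in d:
        issues.append("includeSubDomains missing")
    if "preload" not in d:
        issues.append("preload missing")
    return issues


def check_http_redirect(status, headers, request_url):
    """True iff the plain-http response redirects to the same URL over TLS."""
    if status not in (301, 302, 307, 308):
        return False
    loc = {k.lower(): v for k, v in headers.items()}.get("location")
    if loc is None:
        return False
    src, dst = urlsplit(request_url), urlsplit(loc)
    return (dst.scheme == "https" and dst.hostname == src.hostname
            and (dst.path or "/") == (src.path or "/"))


# Constructed sample responses (not real captures).
CURRENT = (200, {"Content-Type": "text/html"})               # served over http
HARDENED = (301, {"Location": "https://httpd.apache.org/"})  # forced redirect
WEAK_HSTS = "max-age=300"
STRONG_HSTS = "max-age=31536000; includeSubDomains; preload"
```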

People

• Assignee: Unassigned
• Reporter: wohali Joan Touzet
• Votes: 0
• Watchers: 1
